[squid-users] AD Ldap (automatically take the user that is logging on PC)

erdosain9 erdosain9 at gmail.com
Mon Aug 22 16:24:22 UTC 2016


Hi. I'm having problems with Kerberos.
I cannot do the keytab...

kinit squid (all good)
-----------------------------------------------------------------------------------------------------
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: squid@xxxxxxx.LAN

Valid starting     Expires            Service principal
22/08/16 13:17:55  22/08/16 23:17:55  krbtgt/xxxxxx.LAN@xxxxx.LAN (ISN'T THIS
STRANGE???! I mean krbtgt/EXAMPLE.LAN@EXAMPLE.LAN)
	renew until 23/08/16 13:17:51
-------------------------------------------------------------------------------------------------------
msktutil -c -b "CN=Computers" -s HTTP/squid.xxxxx.lan -k /etc/squid/PROXY.keytab --computer-name SQUIDPROXY-K --upn HTTP/squid.xxxxxx.lan --server d02.xxxxxx.lan --verbose --enctypes 28

 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the
computer account
 -- generate_new_password:  Characters read from /dev/udandom = 84
 -- create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.msktkrb5.conf-cfazrB
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: SQUIDPROXY-K$
 -- try_machine_keytab_princ: Trying to authenticate for SQUIDPROXY-K$ from
local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
(Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/localhost from
local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
(Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for SQUIDPROXY-K$ with
password.
 -- create_default_machine_password: Default machine password for
SQUIDPROXY-K$ is squidproxy-k
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client
not found in Kerberos database)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 4

 -- ldap_connect: Connecting to LDAP server: d02.xxxxxx.lan try_tls=YES
 -- ldap_connect: Connecting to LDAP server: d02.xxxxxx.lan try_tls=NO
SASL/GSSAPI authentication started
SASL username: squid@xxxxxx.LAN
SASL SSF: 56
SASL data security layer installed.
 -- ldap_connect: LDAP_OPT_X_SASL_SSF=56

 -- ldap_get_base_dn: Determining default LDAP base: dc=xxxxxxx,dc=LAN
 -- ldap_check_account: Checking that a computer account for SQUIDPROXY-K$
exists
 -- ldap_check_account: Computer account not found, create the account

No computer account for SQUIDPROXY-K found, creating a new one.
dn: cn=SQUIDPROXY-K,CN=Computers,dc=xxxxx,dc=LAN
Error: ldap_add_ext_s failed (Insufficient access)
 -- ~KRB5Context: Destroying Kerberos Context


-------------------------------------------------------------------------------------

/etc/krb5.conf

[libdefaults]
    default_realm = XXXXXXX.LAN
    dns_lookup_kdc = no
    dns_lookup_realm = no
    ticket_lifetime = 24h
    default_keytab_name = /etc/squid/PROXY.keytab

; for Windows 2003
;    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
;    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
;    permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

; for Windows 2008 with AES
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
    EMPDHPR.LAN = {
        kdc = d02.xxxxxx.lan
        admin_server = d02.xxxxxxx.lan
        default_domain = xxxxxxxx.lan
    }



What can I do??
Is any other info necessary???




--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/AD-Ldap-automatically-take-the-user-that-is-logging-on-PC-tp4678994p4679081.html
Sent from the Squid - Users mailing list archive at Nabble.com.
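An added offline diagnostic for the kind of setup described in the post above; it is example code, not code from the original post or from the msktutil or Squid projects. It parses a krb5.conf, the `klist` ticket-cache listing and the `klist -kte` keytab listing (all sample inputs here are constructed, with EXAMPLE.LAN, dc01.example.lan and squid.example.lan standing in for the masked names) and reports the inconsistencies that most often break Squid's negotiate_kerberos_auth: a realm that is not upper-case or has no [realms] stanza, a ticket cache principal in another realm, a missing TGT, an SPN that is absent from the keytab (including a case mismatch), and keytab enctypes that krb5.conf does not permit. It also settles the question in the klist output: `krbtgt/EXAMPLE.LAN@EXAMPLE.LAN` is the normal name of a TGT, so the check treats it as expected. The function names and the `--enctypes` bitmask decoder are assumptions for illustration; the bit values follow msktutil(1). It does not cover AD permissions, which is what the `ldap_add_ext_s failed (Insufficient access)` line above reports: the account used for kinit is not allowed to create a computer object under CN=Computers.

```python
"""Offline consistency checks for a Squid/Kerberos keytab setup (example code).
Parses krb5.conf, 'klist' (ticket cache) and 'klist -kte' (keytab) text."""
import re

# msktutil --enctypes bitmask per msktutil(1): 0x1 DES-CBC-CRC, 0x2 DES-CBC-MD5,
# 0x4 RC4-HMAC, 0x8 AES128, 0x10 AES256; so "--enctypes 28" = RC4 + AES128 + AES256
MSKTUTIL_ENCTYPE_BITS = {0x01: "des-cbc-crc", 0x02: "des-cbc-md5", 0x04: "rc4-hmac",
                         0x08: "aes128-cts-hmac-sha1-96", 0x10: "aes256-cts-hmac-sha1-96"}


def decode_msktutil_enctypes(mask):
    """Expand an msktutil --enctypes bitmask (e.g. 28) into enctype names."""
    return [name for bit, name in sorted(MSKTUTIL_ENCTYPE_BITS.items()) if mask & bit]


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [section] headers, 'key = value' lines and one
    level of 'NAME = { ... }' sub-blocks (the form used in [realms])."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()  # drop comments
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
        elif not line or section is None:
            continue  # blank line, or a stray line before the first header
        elif line == "}":
            block = None
        else:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block)[key] = value
    return conf


def parse_klist_cache(text):
    """Return (default principal, [service principals]) from 'klist' output."""
    m = re.search(r"^Default principal:\s*(\S+)", text, re.M)
    services = re.findall(r"^\s*\S+\s+\S+\s+\S+\s+\S+\s+(\S+@\S+)", text, re.M)
    return (m.group(1) if m else None), services


def parse_klist_keytab(text):
    """Return [(principal, enctype)] from 'klist -kte' output."""
    return re.findall(r"^\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)\s+\((\S+)\)", text, re.M)


def check_setup(conf_text, cache_text, keytab_text, spn):
    """Return a list of findings; an empty list means the pieces agree."""
    conf = parse_krb5_conf(conf_text)
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm", "")
    findings = []
    if realm != realm.upper():
        findings.append(f"default_realm {realm!r} is not upper-case (realm names are case-sensitive)")
    if realm not in conf.get("realms", {}):
        findings.append(f"no [realms] stanza for default_realm {realm!r}")
    principal, services = parse_klist_cache(cache_text)
    if principal and not principal.endswith("@" + realm):
        findings.append(f"ticket cache principal {principal} is not in realm {realm}")
    # A TGT is named krbtgt/REALM@REALM: the doubled realm is expected, not an error
    if f"krbtgt/{realm}@{realm}" not in services:
        findings.append(f"no TGT krbtgt/{realm}@{realm} in the ticket cache; kinit first")
    enctypes = {e for p, e in parse_klist_keytab(keytab_text) if p == spn}
    permitted = set(libdefaults.get("permitted_enctypes", "").split())
    if not enctypes:
        findings.append(f"keytab has no entry for {spn} (check SPN spelling and case)")
    elif permitted and not enctypes & permitted:
        findings.append(f"keytab enctypes {sorted(enctypes)} are not in permitted_enctypes")
    return findings


# Constructed sample inputs (EXAMPLE.LAN stands in for a real AD realm)
KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.LAN
    default_keytab_name = /etc/squid/PROXY.keytab
; Windows 2008+ with AES
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
[realms]
    EXAMPLE.LAN = {
        kdc = dc01.example.lan
        admin_server = dc01.example.lan
    }
"""
KLIST_CACHE = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: squid@EXAMPLE.LAN
Valid starting     Expires            Service principal
22/08/16 13:17:55  22/08/16 23:17:55  krbtgt/EXAMPLE.LAN@EXAMPLE.LAN
\trenew until 23/08/16 13:17:51
"""
KLIST_KEYTAB = """KVNO Timestamp         Principal
   2 22/08/16 13:20:01 HTTP/squid.example.lan@EXAMPLE.LAN (aes256-cts-hmac-sha1-96)
   2 22/08/16 13:20:01 HTTP/squid.example.lan@EXAMPLE.LAN (rc4-hmac)
"""
SPN = "HTTP/squid.example.lan@EXAMPLE.LAN"

if __name__ == "__main__":
    print("msktutil --enctypes 28 =", decode_msktutil_enctypes(28))
    print("findings:", check_setup(KRB5_CONF, KLIST_CACHE, KLIST_KEYTAB, SPN) or "none")
    bad = KRB5_CONF.replace("default_realm = EXAMPLE.LAN", "default_realm = example.lan")
    print("lower-case realm:", check_setup(bad, KLIST_CACHE, KLIST_KEYTAB, SPN))
```

On a real host the three texts would come from the files and commands themselves (`/etc/krb5.conf`, `klist`, `klist -kte /etc/squid/PROXY.keytab`); the SPN to look for is the one given to msktutil with `-s`, written exactly as Squid will present it.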